1. Login to cPanel from the client area and click on Files >> Directory Privacy. You will get a modal popup with various options, we need to select Web Root and then click Go button.
2. Click on the wp-admin directory in the list of files/folders displayed. Check Password protect this directory, enter a name, and click Save button. Click on Go Back link to return to the wp-admin directory privacy options. Enter a Username and click on the Password Generator button to randomly generate a unique and secure password. Click on the Save button below the Password Strength status bar to create your new user.
3. Back to cPanel home. Files >> File Manager. Ensure Show Hidden Files (dotfiles) is checked and go to your Web Root (public_html) folder. If you do not get a prompt when opening File Manager, you can click on the Settings button in the top right corner and save these in your preferences.
4. Click on the wp-admin folder in the left hand directory tree. Right click on the .htaccess file in the wp-admin folder, select the Edit link to open a new window with a basic text editor. Add this text to the top of the .htaccess file, then click on the Save Changes button:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
5. Click on the public_html folder in the left hand directory tree. Right click on the .htaccess file in the public_html folder, select the Edit link to open a new window with a basic text editor. Add this text to the top of the .htaccess file, then click on the Save Changes button:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
You should now have the /public_html/wp-admin/.htaccess file that protects the wp-admin folder. The same protection was copied to your main /public_html/.htaccess file. Now the wp-login.php file is also password protected.
If you are getting a redirect loop error message in your browser, please ensure you have copied the ErrorDocument lines into both of your edited .htaccess files. Also ensure you have allowed requests to wp-admin/admin-ajax.php without password protection, this is completed when following the steps above correctly.
